Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-38585 | RHEL-06-000068 | SV-50386r3_rule | | Medium |
Description |
---|
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2017-04-28 |
Check Text ( None ) |
---|
None |
Fix Text (F-43533r2_fix) |
---|
The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: "# grub-crypt --sha-512". When prompted, enter the password. Then insert the following line into "/boot/grub/grub.conf" immediately after the header comments, using the output from "grub-crypt" as the value of [password-hash]: "password --encrypted [password-hash]" |
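
The page lists no check text for this finding. As an added example (not part of the STIG), the shell function below audits a grub.conf for the line the fix text describes. The function names, the sample file and the placeholder hash are constructed for illustration, and reading "immediately after the header comments" as "before the first title entry" is an assumption.

```shell
#!/bin/sh
# Added example, not STIG text. Audits a GRUB legacy config for the
# 'password --encrypted [password-hash]' line that the fix text describes.

# Returns 0 only if a global password line carries a SHA-512 crypt hash ($6$...).
# Assumption: "immediately after the header comments" means before the first
# 'title' entry; a password line inside an entry is not counted.
check_grub_password() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip header comments and blank lines
        $1 == "title" { exit }             # global section ends at the first boot entry
        $1 == "password" {
            seen = 1
            if ($2 == "--encrypted" && $3 ~ /^\$6\$[^$]+\$[^$]+$/) ok = 1
        }
        END {
            if (ok)   { print "PASS: SHA-512 hashed password set"; exit 0 }
            if (seen) { print "FAIL: password line is not --encrypted with a $6$ hash"; exit 1 }
            print "FAIL: no password line before the first title entry"; exit 1
        }
    ' "$1"
}

# Writes a constructed grub.conf to $1, with $2 as the global line and
# $3 (optional) as an extra line inside the boot entry.
write_sample_conf() {
    cat > "$1" <<EOF
# grub.conf generated by anaconda (constructed sample)
default=0
timeout=5
$2
title Sample Linux (constructed entry)
        root (hd0,0)
        kernel /vmlinuz-sample ro root=/dev/sda1
$3
EOF
}

# Constructed hash-shaped placeholder, not the output of a real grub-crypt run.
SAMPLE_HASH='$6$ExampleSalt00000$ExamplePlaceholderHashValueNotARealDigest'
```

On a RHEL 6 host, call `check_grub_password /boot/grub/grub.conf` as root; a plaintext or `--md5` password line, or one placed only inside a boot entry, is reported as a failure.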